Dear All,
Our is fedora 11...
How can we enable the following of firewall function ( modules ), then the ftp server is good for working ?
modprobe ip_tables
modprobe ip_nat_ftp
modprobe ip_conntrack
modprobe ip_conntrack_ftp
Due to trying the following cmd under fc 11:
[~]# modprobe ip_tables
WARNING: Deprecated config file /etc/modprobe.conf, all config files belong into /etc/modprobe.d/.
FATAL: Module ip_tables not found.
[~]#
Thanks !
Edward.
Am Montag, den 08.03.2010, 22:45 +0800 schrieb Edward. S. P. Leong:
Our is fedora 11...
Mine is F12.
How can we enable the following of firewall function ( modules ), then the ftp server is good for working ?
modprobe ip_tables
# lsmod|grep tables
ip6_tables              9409  1 ip6table_filter
# modprobe ip_tables
FATAL: Module ip_tables not found.
# lsmod|grep ip
ip6t_REJECT             3394  2
nf_conntrack_ipv6      14859  2
ip6table_filter         2227  1
ip6_tables              9409  1 ip6table_filter
ipv6                  223738  22 ip6t_REJECT,nf_conntrack_ipv6
dm_multipath           12324  0
Therefore, there's no such module, I suppose.
modprobe ip_nat_ftp
modprobe ip_conntrack
modprobe ip_conntrack_ftp
# modprobe ip_nat_ftp
# modprobe ip_conntrack
FATAL: Module ip_conntrack not found.
# modprobe ip_conntrack_ftp
You do not show the output of these three commands, this is mine.
Matches your setup?
----------------------------------------------
Rodolfo Alcazar Portillo - nospaze@gmail.com
otbits.blogspot.com / counter.li.org: #367962
----------------------------------------------
Apr 13 11:05:20 apollo13 fsck[3927]: root, we have a problem.
-- Jeff Gostin
NoSpaze wrote:
You do not show the output of these three commands, this is mine.
Matches your setup?
Dear You,
Mine in here :
[]# modprobe ip_tables
WARNING: Deprecated config file /etc/modprobe.conf, all config files belong into /etc/modprobe.d/.
FATAL: Module ip_tables not found.
[]# modprobe ip_nat_ftp
WARNING: Deprecated config file /etc/modprobe.conf, all config files belong into /etc/modprobe.d/.
[]# modprobe ip_conntrack
WARNING: Deprecated config file /etc/modprobe.conf, all config files belong into /etc/modprobe.d/.
FATAL: Module ip_conntrack not found.
[]# modprobe ip_conntrack_ftp
WARNING: Deprecated config file /etc/modprobe.conf, all config files belong into /etc/modprobe.d/.
So, is there any solution for me ?
Thanks !
Am Dienstag, den 09.03.2010, 23:09 +0800 schrieb Edward. S. P. Leong:
NoSpaze wrote:
# modprobe ip_tables
FATAL: Module ip_tables not found.
Again: this module does not exist! Maybe ip_nat or nf_nat?
# modprobe ip_nat_ftp
# modprobe ip_conntrack
FATAL: Module ip_conntrack not found.
# modprobe ip_conntrack_ftp
You do not show the output of these three commands, this is mine.
Matches your setup?
Dear You,
Mine in here :
[]# modprobe ip_tables
WARNING: Deprecated config file /etc/modprobe.conf, all config files belong into /etc/modprobe.d/.
FATAL: Module ip_tables not found.
[]# modprobe ip_nat_ftp
WARNING: Deprecated config file /etc/modprobe.conf, all config files belong into /etc/modprobe.d/.
[]# modprobe ip_conntrack
WARNING: Deprecated config file /etc/modprobe.conf, all config files belong into /etc/modprobe.d/.
FATAL: Module ip_conntrack not found.
(same as mine)
[]# modprobe ip_conntrack_ftp
WARNING: Deprecated config file /etc/modprobe.conf, all config files belong into /etc/modprobe.d/.
Ok. Maybe some names are messed up in your modules.conf, maybe you have names like nf_nat_ftp and nf_conntrack_ftp. Check the output of these commands:
# ls -l /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/
# modinfo nf_nat_ftp nf_conntrack_ftp
filename:       /lib/modules/2.6.32.9-67.fc12.i686/kernel/net/ipv4/netfilter/nf_nat_ftp.ko
alias:          ip_nat_ftp
description:    ftp NAT helper
author:         Rusty Russell rusty@rustcorp.com.au
license:        GPL
srcversion:     F92EE3A32D64466A49CF33B
depends:        nf_nat,nf_conntrack_ftp
vermagic:       2.6.32.9-67.fc12.i686 SMP mod_unload 686

filename:       /lib/modules/2.6.32.9-67.fc12.i686/kernel/net/netfilter/nf_conntrack_ftp.ko
alias:          nfct-helper-ftp
alias:          ip_conntrack_ftp
description:    ftp connection tracking helper
author:         Rusty Russell rusty@rustcorp.com.au
license:        GPL
srcversion:     BCE75C1712FB8C7DF825917
depends:
vermagic:       2.6.32.9-67.fc12.i686 SMP mod_unload 686
parm:           ports:array of ushort
parm:           loose:bool
# cat /proc/modules |grep nf
nf_nat_ftp 2452 0 - Live 0xf7dad000
nf_nat 15785 1 nf_nat_ftp, Live 0xf8881000
nf_conntrack_ftp 9435 1 nf_nat_ftp, Live 0xf8857000
nf_conntrack_ipv6 14859 2 - Live 0xf9ee2000
ipv6 223738 22 ip6t_REJECT,nf_conntrack_ipv6, Live 0xf9e76000
So, is there any solution for me ?
Good: read, fix. Bad: update/reinstall. Ugly: pay.
Greets.
----------------------------------------------
Rodolfo Alcazar Portillo - nospaze@gmail.com
otbits.blogspot.com / counter.li.org: #367962
----------------------------------------------
An ASCII character walks into a bar and orders a double. "Having a bad day?" asks the barman. "Yeah, I have a parity error," replies the ASCII character. The barman says, "Yeah, I thought you looked a bit off."
-- Skud
Dear you ,
In Fedora 9, the iptables function config is good for working as the following :
modprobe ip_tables
modprobe ip_nat_ftp
modprobe ip_conntrack
modprobe ip_conntrack_ftp

iptables -F
iptables -X
iptables -F -t nat
iptables -X -t nat
iptables -F -t mangle
iptables -X -t mangle

iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -t nat -P OUTPUT ACCEPT
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t mangle -P PREROUTING ACCEPT
iptables -t mangle -P POSTROUTING ACCEPT
iptables -t mangle -P INPUT ACCEPT
iptables -t mangle -P OUTPUT ACCEPT
iptables -t mangle -P FORWARD ACCEPT
BUT now, how to re-config the format for applying to FC11 system ? eg: include the following ?
modprobe ip_tables
modprobe ip_nat_ftp
modprobe ip_conntrack
modprobe ip_conntrack_ftp
Thanks !
On 03/09/2010 07:47 PM, NoSpaze wrote:
Am Dienstag, den 09.03.2010, 23:09 +0800 schrieb Edward. S. P. Leong:
NoSpaze wrote:
# modprobe ip_tables
FATAL: Module ip_tables not found.
Again: this module does not exist! Maybe ip_nat or nf_nat?
To clarify, several kernels ago the IPV4 iptables was defaulted to being built into the kernel so it doesn't need a modprobe or insmod. Ditto with the IPV4 conntrack (snippet of the default kernel config file):
CONFIG_NF_DEFRAG_IPV4=y                        <<<---- Built into kernel
CONFIG_NF_CONNTRACK_IPV4=y                     <<<---- Built into kernel
# CONFIG_NF_CONNTRACK_PROC_COMPAT is not set
CONFIG_IP_NF_QUEUE=m                           <<<---- Module
CONFIG_IP_NF_IPTABLES=y                        <<<---- Built into kernel
So remove those items from your /etc/modprobe.conf file. It is also not necessary to modprobe things like the NAT module and such...if there are rules in your iptables config that require them, they'll be drug in by iptables itself. The "modprobe"able modules can be found by doing a
ls /lib/modules/`uname -r`/kernel/net/ipv4/netfilter
Note that the IPV6 versions of those modules ARE built as modules and will need to be either modprobed or drug in as part of the iptables rulesets.
Keep in mind that the /etc/modprobe.conf file has been deprecated in favor of the /etc/modprobe.d/local.conf file.
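Added example, not part of the original thread: a sketch of the check described above, telling a legacy name that is built into the kernel apart from one that is only an alias for a renamed module. The sample config and alias lines are constructed from the snippets quoted in the thread; the function names and the name-to-option mapping are assumptions of this example.

```shell
#!/bin/sh
# Constructed sample inputs, modelled on the kernel config snippet and the
# modinfo aliases quoted in the thread. On a real host read
# /boot/config-$(uname -r) and /lib/modules/$(uname -r)/modules.alias instead.
SAMPLE_CONFIG='CONFIG_NF_DEFRAG_IPV4=y
CONFIG_NF_CONNTRACK_IPV4=y
# CONFIG_NF_CONNTRACK_PROC_COMPAT is not set
CONFIG_IP_NF_QUEUE=m
CONFIG_IP_NF_IPTABLES=y'
SAMPLE_ALIASES='alias ip_nat_ftp nf_nat_ftp
alias nfct-helper-ftp nf_conntrack_ftp
alias ip_conntrack_ftp nf_conntrack_ftp'

# config_state OPTION CONFIG_TEXT -> builtin | module | unset
config_state() {
    case $(printf '%s\n' "$2" | sed -n "s/^$1=\([ym]\)\$/\1/p") in
        y) echo builtin ;;
        m) echo module ;;
        *) echo unset ;;
    esac
}

# resolve_alias NAME ALIAS_TEXT -> real module name, empty if NAME has no alias
resolve_alias() {
    printf '%s\n' "$2" | awk -v n="$1" '$1 == "alias" && $2 == n { print $3; exit }'
}

# explain NAME: report why "modprobe NAME" fails or succeeds.
# The mapping from legacy module name to config option is an assumption
# of this example, following the explanation given in the thread.
explain() {
    case $1 in
        ip_tables)    opt=CONFIG_IP_NF_IPTABLES ;;
        ip_conntrack) opt=CONFIG_NF_CONNTRACK_IPV4 ;;
        *)            opt= ;;
    esac
    if [ -n "$opt" ] && [ "$(config_state "$opt" "$SAMPLE_CONFIG")" = builtin ]; then
        echo "$1: built into the kernel ($opt=y), nothing to modprobe"
        return
    fi
    real=$(resolve_alias "$1" "$SAMPLE_ALIASES")
    if [ -n "$real" ]; then
        echo "$1: alias for $real"
    else
        echo "$1: no built-in option or alias found"
    fi
}

for m in ip_tables ip_nat_ftp ip_conntrack ip_conntrack_ftp; do explain "$m"; done
```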
Rick Stevens wrote:
So remove those items from your /etc/modprobe.conf file. It is also not necessary to modprobe things like the NAT module and such...if there are rules in your iptables config that require them, they'll be drug in by iptables itself. The "modprobe"able modules can be found by doing a
ls /lib/modules/`uname -r`/kernel/net/ipv4/netfilter
Hello to you,
Would you mind to tell me how to apply the following iptables module into FC11 System ?
ip_nat_ftp ip_conntrack_ftp
Thanks !
Edward.
On 03/11/2010 08:17 AM, Edward. S. P. Leong wrote:
Hello to you,
Would you mind to tell me how to apply the following iptables module into FC11 System ?
ip_nat_ftp ip_conntrack_ftp
You should just write the rules you need. The kernel should be set up to autoload the modules it needs to support your rules. If you're in doubt, use the "-m modulename" option in the rule, e.g.
... -m nf_nat_ftp -s 10.1.0.0/24 ....
----------------------------------------------------------------------
- Rick Stevens, Systems Engineer                      ricks@nerd.com -
- AIM/Skype: therps2        ICQ: 22643734            Yahoo: origrps2 -
-                                                                    -
-  "Hello. My PID is Inigo Montoya. You `kill -9'-ed my parent       -
-  process. Prepare to vi."                                          -
----------------------------------------------------------------------
Would you mind to tell me how to apply the following iptables module into FC11 System ? ip_nat_ftp ip_conntrack_ftp
It seems to me that there has been an email pointing out that ip_conntrack_ftp has been replaced by nf_conntrack_ftp and ip_nat_ftp by nf_nat_ftp.
Rick Stevens wrote:
You should just write the rules you need. The kernel should be set up to autoload the modules it needs to support your rules. If you're in doubt, use the "-m modulename" option in the rule, e.g.
... -m nf_nat_ftp -s 10.1.0.0/24 ....
Hello,
I just tried the following cli in server side :
[root@host1 ~]# iptables -A INPUT -i eth1 -p tcp --dport 21 -m nf_nat_ftp -s 192.168.1.0/24 -d 192.168.1.254 -j ACCEPT
iptables v1.4.3.1: Couldn't load match `nf_nat_ftp':/lib/xtables/libipt_nf_nat_ftp.so: cannot open shared object file: No such file or directory

Try `iptables -h' or 'iptables --help' for more information.
[root@host1 ~]#
Is there any solution for it ?
Thanks !
Edward.
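Added example, not part of the original thread: the error above shows iptables resolving the `-m` argument to a match library (`libipt_*.so`), while nf_nat_ftp and nf_conntrack_ftp are kernel helper modules. The sketch below keeps a default-drop INPUT policy and relies on the FTP conntrack helper through the state match instead; the interface and addresses are taken from the command above, and both function names are hypothetical.

```shell
#!/bin/sh
# ftp_ruleset IFACE CLIENT_NET SERVER_IP (hypothetical helper of this example)
# Prints an iptables-restore ruleset for an FTP server behind INPUT DROP.
ftp_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# Replies on the control channel, plus data connections that the FTP
# conntrack helper has marked RELATED to an existing control session.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# New control connections to port 21, from the client network only.
-A INPUT -i $1 -p tcp -s $2 -d $3 --dport 21 -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# helper_used_as_match RULE: succeeds when RULE passes a conntrack/NAT helper
# module name to -m, which iptables looks up as a match library and rejects.
helper_used_as_match() {
    case " $1 " in
        *" -m nf_nat_"*|*" -m nf_conntrack_"*|*" -m ip_nat_"*|*" -m ip_conntrack_"*)
            return 0 ;;
        *)  return 1 ;;
    esac
}

# To apply on the server (needs root), load the helper first:
#   modprobe nf_conntrack_ftp
#   ftp_ruleset eth1 192.168.1.0/24 192.168.1.254 | iptables-restore
ftp_ruleset eth1 192.168.1.0/24 192.168.1.254
```

On current kernels, where automatic helper assignment is off by default, the helper also has to be attached explicitly with a `CT --helper ftp` rule in the raw table.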